How to Monitor Servers in a Vultr Virtual Private Cloud (VPC) with Checkmk

Introduction

Checkmk is a monitoring application that keeps track of your servers, networks, containers, databases, and installed applications. It follows the client-server model and offers a web dashboard through which you can track the uptime and status of configured hosts.

This article explains how you can monitor servers in a Vultr Virtual Private Cloud (VPC) using Checkmk. After installing Checkmk on the main VPC server, it explains how to monitor three server instances, running Ubuntu 22.04, Rocky Linux 8, and Windows 2022 respectively, on a single VPC network. The VPC and all three server instances must be in the same Vultr location.

Prerequisites

To complete this guide, you'll need a registered domain name and ability to update DNS for that domain.

Preliminary Steps

1. Choose a Vultr location and deploy a Virtual Private Cloud (VPC).
2. Deploy two servers instances: Ubuntu 22.04 and Rocky Linux 8. The Ubuntu server is the main Checkmk server. > Note: Make sure to attach the VPC when deploying these so that cloud-init can configure the VPC network adapters for you.
3. Deploy a Windows 2022 server.
4. Windows does not use cloud-init, so you need to manually configure the VPC after deployment. After you complete this step, all three servers are connected to the same VPC and can ping each other.
5. Create a non-root user with sudo rights on the Ubuntu and Rocky Linux servers.
6. Set up NTP on Ubuntu and Rocky Linux to ensure that all monitoring functions use the correct system time.

1. Install Checkmk on the main VPC Server

In this step, you'll install Checkmk on the Ubuntu server, which will monitor the other hosts attached to the VPC.

Create a domain A record that points a fully-qualified domain name (FQDN) to the Ubuntu server's IP address. This guide uses the example FQDN checkmk.example.com. See our guide if you use Vultr DNS.

1. SSH to the server and log in as a non-root user with sudo rights.

   $ ssh example-user@192.0.2.1
   

2. Update the server.

   $ sudo apt update
   

3. Change the server hostname to your domain name.

   $ sudo hostnamectl set-hostname checkmk.example.com
   

4. Download the latest Checkmk release file for Ubuntu from the official website.

   $ wget https://download.checkmk.com/checkmk/2.1.0p8/check-mk-raw-2.1.0p8_0.jammy_amd64.deb
   

5. Install the Checkmk package on your server.

   $ sudo dpkg -i check-mk-raw-2.1.0p8_0.jammy_amd64.deb
   

6. Enter Y to install all necessary dependencies on your server.

   If you receive any errors, run the following command and enter yes to install missing dependencies.

   $ sudo apt --fix-broken install
   

7. Verify that Checkmk is properly installed by querying the installed omd version.

   $ omd version
   

   Output:

   OMD - Open Monitoring Distribution Version 2.1.0p8.cre
   

2. Create a Checkmk Monitoring Site

1. Create your first Checkmk monitoring site. Replace myvpc-site with your preferred site name.

   $ sudo omd create myvpc_site
   

   Output:

   Creating temporary filesystem /omd/sites/myvpc_site/tmp...OK
   Updating core configuration...
   Generating configuration for core (type nagios)...
   Precompiling host checks...OK
   Executing post-create script "01_create-sample-config.py"...OK
   Restarting Apache...OK
   Created new site myvpc_site with version 2.1.0p8.cre.
   
    The site can be started with omd start myvpc_site.
    The default web UI is available at http://checkmk.example.com/myvpc_site/
   
    The admin user for the web applications is cmkadmin with password: Tcbhseyf
    For command line administration of the site, log in with 'omd su myvpc_site'.
    After logging in, you can change the password for cmkadmin with 'htpasswd etc/htpasswd cmkadmin'.
   

   Keep note of your assigned administrator username and password. If you changed the server hostname to your domain, a full working URL should display in the command output.

2. Start the Checkmk site.

   $ sudo omd start myvpc_site
   

3. Security

By default, Checkmk receives agent requests on port 8000 for the first site and increments the port number per extra site created.

1. Allow port 8000 through the firewall.

   $ sudo ufw allow 8000/tcp
   

2. Allow the Apache HTTP Port 80 to enable access to the Checkmk web interface.

   $ sudo ufw allow 80/tcp
   

3. Allow HTTPS connections on port 443.

   $ sudo ufw allow 443/tcp
   

4. Restart the firewall to save changes.

   $ sudo ufw reload
   

4. Enable HTTPS

1. Using a text editor, edit the default Apache virtual host file.

   $ sudo nano /etc/apache2/sites-available/000-default.conf
   

2. Find the following commented directive.

   #ServerName www.example.com
   

3. Uncomment it, and enter your domain name.

   ServerName checkmk.example.com
   

4. Restart Apache.

   $ sudo service apache2 restart
   

5. Install the Certbot Let's Encrypt client.

   $ sudo snap install --classic certbot
   

6. Request for a free SSL certificate. Replace checkmk.example.com with your domain name, and hello@example.com with your email address.

   $ sudo certbot --apache -d checkmk.example.com -m hello@example.com --agree-tos
   

7. Test SSL certificate auto-renewal.

   $ sudo certbot renew --dry-run
   

8. Restart Apache to save changes.

   $ sudo service apache2 restart
   

5. Set up the Checkmk Server

1. Using your preferred desktop web browser, visit your Checkmk site.

   https://checkmk.example.com/myvpc_site
   

2. Log in with the administrator username cmkadmin, and the random password generated by the installer.

3. On the main Checkmk web dashboard, click Setup on the left navigation menu.
4. Find and click Users from the sub-menu options.
5. Click the Pencil icon to edit the Cmkadmin user information.
6. Enter your email in the Email address field.
7. Navigate to the Security section, and enter a new strong password in the Authentication fields.
8. Click Save, and locate the 1 change orange warning on the top right to activate changes.
9. To create any additional user accounts, click Add user and fill in the new user form.

Note that you can delete the cmkadmin user account when you create a new administrator, but should not delete the automation user as it’s used with automation tools.

6. Configure Monitoring Agents

Checkmk uses monitoring agents to send and receive vital information on all system services. You can download a monitoring agent directly from the main Checkmk server and install it on your target client in the VPC network.

1. Navigate to the Checkmk Web dashboard and click Setup.
2. Select your Linux under the Agents sub-menu option.
3. Find the check-mk-agent-<version>.noarch.rpm file, right click and select Copy Link Address from your list of browser options to copy it to the clipboard.
4. Access your Rocky Linux 8 server to install the file.

7. Setup Checkmk monitoring on Rocky Linux

1. SSH and log in to the Rocky Linux 8 server as a non-root sudo user.

   $ ssh example-user@192.0.2.1
   

2. Download the Checkmk monitoring agent from your main Checkmk server.

   $ wget https://checkmk.example.com/myvpc-site/check_mk/agents/check-mk-agent-2.1.0p6-1.noarch.rpm
   

3. Install the Checkmk agent package.

   $ sudo dnf install check-mk-agent-2.1.0p6-1.noarch.rpm 
   

4. Verify that the agent is installed.

   $ check_mk_agent
   

   Your output should look similar to:

    <<<job>>>
    <<<chrony:cached(1658403210,30)>>>
    Reference ID    : 94253D12 (2001:19f0:200:144b::1000)
    Stratum         : 3
    Ref time (UTC)  : Thu Jul 21 11:31:06 2022
    System time     : 0.000072729 seconds fast of NTP time
    Last offset     : +0.000043839 seconds
    RMS offset      : 0.000704368 seconds
    Frequency       : 18.389 ppm fast
    Residual freq   : +0.001 ppm
    Skew            : 0.017 ppm
    Root delay      : 0.081640661 seconds
    Root dispersion : 0.009934294 seconds
    Update interval : 1030.7 seconds
    Leap status     : Normal
    <<<local:sep(0)>>>
   

Configure the Rocky Linux Firewall

By default, Firewalld is active on Rocky Linux. Follow these steps to allow the Checkmk agent to receive monitoring requests on the default port 6556 over the VPC network.

1. Create a new zone. Replace myVPC with your preferred label.

   $ sudo firewall-cmd --new-zone=myVPC --permanent
   

2. Assign the zone to the VPC network.

   $ sudo firewall-cmd --zone=myVPC --add-source=10.24.96.0/20 --permanent
   

3. Allow the Checkmk agent port 6556 on the zone.

   $ sudo firewall-cmd --zone=myVPC --add-port=6556/tcp --permanent
   

4. Restart the firewall to save changes.

   $ sudo firewall-cmd --reload
   

8. Add the Rocky Linux Host to the Checkmk Server

1. In a web browser, access the Checkmk server.

   https://checkmk.example.com/myvpc_site
   

2. Navigate to Setup, and click Hosts.

3. Click Add host to the monitoring.
4. In the Hostname field, enter your first monitoring agent hostname.
5. Toggle IPV4 address, and enter your Rocky Linux VPC address.
6. Click Save & go to service configuration to scan all services available on the server.
7. All available services are ready for monitoring, click Accept all to save the host.

9. Set up Checkmk Monitoring on Windows Server

1. Use the Remote Desktop Protocol (RDP) to connect to the remote Vultr Windows Server as an Administrative user.
2. Open the Microsoft Edge web browser from the Windows Start Menu.

3. Enter your Checkmk server address in the URL bar.

   https://checkmk.example.com/myvpc_site
   

4. Log in to the Checkmk server using your administrator username and password.

5. Navigate to Setup, and click Windows in the Agents sub-menu.
6. In the Packaged Agents section, click checkmkagent.msi to download the package.
7. Open the Checkmk package to install it on your server.
8. In the installation wizard, click Next, accept the product license agreement, select Clean installation, and follow all prompts to finish installation on your Windows Server.
9. From the Windows Start menu, open the windows command prompt by expanding the Windows System group.

10. Enter the following command to verify that the Checkmk agent is properly installed.

    > "C:\Program Files (x86)\checkmk\service\cmk-agent-ctl.exe" status
    

    Your output should look like the one below:

     Version: 2.1.0p8
     Agent socket: operational
     IP allowlist: any
     Legacy mode: enabled
     No connections
    

11. The Checkmk agent creates all necessary firewall rules. Open the command prompt and ping the Checkmk server VPC address to verify if you have a connection to the server.

    > ping 192.0.2.1
    

12. To restrict the Checkmk agent to only VPC connections, navigate to Windows Defender with Firewall under the Windows Administrative Tools group on the start menu.

13. Click Inbound Rules on the left navigation menu.
14. Find the Checkmk Agent rule, right-click, and select Properties from the list.
15. Navigate to Advanced in the open properties window.
16. Uncheck Public, Domain and keep Private checked.
17. Click OK to save changes.

10. Add the Windows Host to the Checkmk Server

1. Open Microsoft Edge from the Windows Start Menu.

2. Access your Checkmk server.

   https://checkmk.example.com/myvpc_site
   

3. Navigate back to Hosts, and set up the Windows Server Checkmk agent.

4. Enter your preferred Hostname for the Windows server.
5. Toggle IPV4 address, and enter the Windows Server VPC network address.
6. Click Save & go to service configuration to finish set up, and setup the Checkmk agent to send data to the server.
7. Open the Windows Command prompt.

8. Enter the following commands to establish a connection to the server. Replace windows-host with your actual hostname,192.0.2.1 with the Checkmk server VPC network address, and strong-password with the actual cmkadmin password you set earlier.

   "C:\Program Files (x86)\checkmk\service\cmk-agent-ctl.exe" ^ register ^ --hostname windows-host ^ --server 192.0.2.1 --site myvpc_site ^ --user cmkadmin --password strong-password
   

   Your output should look similar to:

    Attempting to register at 192.0.2.1:8000/myvpc_site. Server certificate details:
   
    PEM-encoded certificate:
    -----BEGIN CERTIFICATE-----
    MIIC8TCCAdmgAwIBAgIUcNQ97zkUr3VZO145hYSSzwsoIvUwDQYJKoZIhvcNAQEL
    BQAwJTEjMCEGA1UEAwwaU2l0ZSAnbXl2cGNfc2l0ZScgbG9jYWwgQ0EwIBcNMjIw
    NzIxMTMxOTA0WhgPMzAyMDExMjExMzE5MDRaMBUxEzARBgNVBAMMCm15dnBjX3Np
    vIIo8dYGwdwZBeresgWIgJuWVdSbdq4CuzLd+U+o2oYY4SmQdQ==
    -----END CERTIFICATE-----
   
    Issued by:
        Site 'myvpc_site' local CA
    Issued to:
        myvpc_site
    Validity:
        From Thu, 21 Jul 2022 13:19:04 +0000
        To   Tue, 21 Nov 3020 13:19:04 +0000
   
    Do you want to establish this connection? [Y/n]
    >
   

9. Enter Y to establish a connection to the Checkmk server. If the connection fails, make sure that port 8000 is open on the main server firewall, or confirm that you created the Host on the Checkmk server before initiating the agent connection.

10. Access the Checkmk web interface, and click Rescan on the Services of host page.
11. When the scan is complete, click Accept all to monitor all services on the Windows Server.
12. Click the orange changes warning on the top right, and select Activate on selected sites to activate all hosts on the Checkmk server.
13. To monitor all registered hosts and services, navigate to Monitor, and click All hosts under the Overview sub-menu.

Conclusion

You have successfully installed Checkmk and set up monitoring for servers in a single Vultr Virtual Private Cloud (VPC). Server monitoring is fast with low latency when monitored servers are on the same private network. It's also possible to monitor other servers over the public internet, although the latency will be higher.

To track services on the main Checkmk server, install the Checkmk agent,and add the host with the address 127.0.0.1 to your Checkmk web interface as explained in this article.

More Information

For more information on how you can use Checkmk and monitor more services on your servers. Please visit the following articles.

• Checkmk documentation
• Monitoring web servers with Checkmk